(54) Method for access control of MIB in OSI management



(57) The managed object instance is used as the access control unit, so that access denial and permission are quickly decided. After a pre-process of the naming tree which is the object of access control, the MOI included within every scope which can be designated by a management operation are obtained. At every issue of a management operation, access denial and permission are decided by using the data obtained in the pre-process. When the configuration of the naming tree is changed, the data are easily and rapidly revised, so the access control is adaptive to dynamic change of the naming tree.
Description

FIELD OF THE INVENTION 

This invention relates to a method for access control on an MIB (Management Information Base) in OSI (Open Systems Interconnection) management. More especially, this invention relates to an access control method in which a managed object instance is used as the access unit. Furthermore, this invention relates to a method for converting the identification name of an MOI (Managed Object Instance), a method for enumeration of a scope of MOI, a method for enumeration of a target of MOI and a method for detecting an intersection of MOI.


BACKGROUND OF THE INVENTION 

Words on a tree, a network management based on an OSI management, MOI and a name tree, scope and target, 
and an abstract of ITU-T recommendation on access control method are described. 


(Words on a tree) 

Words such as "parent" on a tree are described. 

A set having one or more top points is called a tree if the following conditions (1) and (2) are satisfied.


(1) A set T has a specific top point called the root.

(2) The set of top points of T except for the root is divided into an empty set or into one or more trees T1, T2, ... which have no top point in common with each other. These trees are called directly partial trees.

A root of a tree having no directly partial tree is called a leaf. A top point which is neither a root nor a leaf is called an inner point. Fig. 19 shows a tree T which has nine top points indicated by circles 0 to 8.

In Fig. 19, the top point 0 is the root. There are two directly partial trees T1, T2 in the tree T. One directly partial tree T1 comprises the single top point 1; the other directly partial tree T2 comprises the top points 2, 3, 4, 5, 6, 7 and 8. Because the tree T1 has no directly partial tree, the root 1 of the tree T1 is a leaf of the tree T.

A top point which is included in the directly partial tree of the tree T whose root is a top point v is called a descendant of the top point v, and the root of that directly partial tree is called a child of the top point v. The point v is a parent of the child. In Fig. 19, the descendants of the point 2 are the points 3 to 8, and the children of the point 2 are the points 3 to 5. The parent of the points 3 to 5 is the point 2.

The length of the route from the root to each point is called the level of the point, and the maximum length among these routes is called the depth of the tree T. In Fig. 19, the length of the route from the root to the leaf 6, 7 or 8 is maximum, so the depth is 3.

Table 1 shows the type, parent, children, descendants and level of each point of the tree T in Fig. 19.



(table 1)

top point | type        | parent | child | descendant | level
0         | root        | none   | {1,2} | {1-8}      | 0
1         | leaf        | 0      | {}    | {}         | 1
2         | inner point | 0      | {3-5} | {3-8}      | 1
3         | inner point | 2      | {6-8} | {6-8}      | 2
4         | leaf        | 2      | {}    | {}         | 2
5         | leaf        | 2      | {}    | {}         | 2
6         | leaf        | 3      | {}    | {}         | 3
7         | leaf        | 3      | {}    | {}         | 3
8         | leaf        | 3      | {}    | {}         | 3



(Network management based on OSI management)

In a network management system based on Open Systems Interconnection (OSI), an abstractly described management object is defined as an MO (Managed Object), and information on the MO is exchanged between a manager system and an agent system by using CMIS (Common Management Information Service). See [ITU-T Rec. X.711, Common Management Information Protocol for ITU-T Applications, Mar. 1991] and [Hisao Ohkane, TCP/IP and OSI network management: SNMP and CMIP, Software Research Center, 1993]. Hereinafter, the manager system is called the manager and the agent system is called the agent.

Fig. 1 shows a network management based on OSI management. In Fig. 1, the network management is performed by a network management system and a managed apparatus. The network management system comprises a management console 11 and a manager 12. The managed apparatus comprises an agent 13 and an MIB (Management Information Base) 14. In the MIB, a group of MO such as the total number of packets to be transferred, the total number of received packets and the total number of received packets including errors is stored. The network management is achieved by exchanging management information on the MO through a network 15 between the manager 12 and the agent 13, using the CMIP (Common Management Information Protocol).

For example, when the manager 12 issues a management operation 16 that means "get" of the number of already received packets, the agent 13 sends a response 17 such as "88 packets" from the content of the MIB 14.


(Managed object instance and naming tree)

Regarding MO, a kind of MO having the same character is called an MOC (Managed Object Class). Each instance belonging to a certain MOC is called an MOI (Managed Object Instance). As an example of an MOC, a printer MOC 18 is shown in Fig. 2(A), and a printer MOI 19 in the printer MOC 18 is shown in Fig. 2(B).

Regarding the naming tree, in Fig. 3 the logical naming tree comprises a plural number of MOI 20 shown by white circles. A group of MOI is managed in a tree construction and stored in the MIB. An example of a naming tree is the naming tree 22 of a telecommunication carrier 21 indicated by [XXX].

(Scope and Filter)

In CMIS, there are a scope (scope parameter) and a filter (filter parameter) by which one management operation can operate on a plural number of MOI, for reducing the number of communications between the manager and the agent. Generally, scope and filter are set by an operator or an application program.

Scope is a parameter for designating the range of MOI to be managed in the naming tree. When using scope, a BOI (Base Object Instance) is designated, wherein the BOI is the start point of the designation of the range. Table 2 shows the four kinds of scope defined by CMIS, namely BaseObject scope, BaseToNthLevel scope (N is a non-negative integer), NthLevelOnly scope (N is a non-negative integer) and WholeSubtree scope. Fig. 4 shows some scopes. In Fig. 4, the BOI is MOI 23 indicated by a black circle.




(table 2)

scope          | definition
BaseObject     | The range is only the BOI.
BaseToNthLevel | The range is the group of all MOI from the BOI down to the Nth level MOI. The BOI itself is included.
NthLevelOnly   | The range is the group of MOI exactly N levels below the BOI.
WholeSubtree   | The range is the group of all MOI below the BOI. The BOI itself is included.




Namely,

1. As shown in Fig. 4(A), the object of a management operation of BaseObject scope is only the BOI 23.

2. As shown in Fig. 4(B), the objects of a management operation of BaseToNthLevel scope are the BOI 23 and the group of all MOI from the BOI 23 down to the Nth level (in Fig. 4(B), N=2).

3. As shown in Fig. 4(C), the objects of a management operation of NthLevelOnly scope are only the group of MOI exactly N levels (in Fig. 4(C), N=3) below the BOI 23.

4. As shown in Fig. 4(D), the objects of a management operation of WholeSubtree scope are the BOI 23 and the group of all MOI below the BOI 23.

Filter is a parameter for designating further the objects of a management operation from the group of MOI in the range designated by scope. Filter is a logical expression indicating the size of an MOI, coincidence of an MOI and existence of an MOI itself. As an example of a filter using attributes of the printer MOI 19 shown in Fig. 2, there is the filter (connection interface = RS232C) and (number of sheets printed within the last one hour > 50), wherein "and" is a logical product.

(Abstract of access control based on ITU-T recommendation X.711)

For interconnection among telecommunication carriers, the network management based on OSI management is opened, and a security function such as access control is very important. In ITU-T recommendation X.711, an "initiators" MOC, a "targets" MOC and a "rule" MOC are described, together with a plan for deciding denial and permission of access. See [ITU-T Rec. X.711, System Management: Objects and attributes for access control, Dec. 1995].
Namely,

1. The "initiators" MOC is an MOC which indicates an initiator (the origin of issue of a management operation).

2. The "targets" MOC is an MOC which indicates the MIB to be protected from, or to be opened to, a certain authority. An object to be protected and an object to be opened are called a target. The target is designated by scope and filter.

3. The "rule" MOC is an MOC which indicates five rules for deciding denial and permission of access from the "initiators" MOC and the "targets" MOC.

4. As shown in Fig. 5, the five rules of the "rule" MOC are a global denial rule which denies access of the management operation to all objects, an item denial rule which denies access of the management operation to some objects, a global permission rule which permits access of the management operation to all objects, an item permission rule which permits access of the management operation to some objects, and a default rule which is applied when it is impossible to decide denial and permission by the four rules mentioned before.

5. Decision of denial and permission is done according to the process shown in Fig. 5. In step S1, it is judged whether an applicable global denial rule exists or not. If the rule exists, all access is denied. If the rule does not exist, in the next step S2 it is judged whether an applicable item denial rule exists or not. If the rule exists, access according to the access unit is denied. The access unit will be described later. If the rule does not exist, in the next step S3 it is judged whether an applicable global permission rule exists or not. If the rule exists, all access is permitted. If the rule does not exist, in the next step S4 it is judged whether an applicable item permission rule exists or not. If the rule exists, access according to the access unit is permitted. If the rule does not exist, in the next step S5 access permission or access denial is decided by the default rule. The default rule is generally set so as to deny access.

As access units, there are the management operation (a coarse access unit), an MOI being an object of a management operation (a moderate access unit) and an attribute of an MOI being an object of a management operation (a fine access unit). For any access unit, an algorithm is necessary to decide denial and permission, wherein the algorithm decides the intersection between the objects of the management operation and the protect object, or decides whether the objects of the management operation are included within the open object.

However, such an algorithm is not prescribed by ITU-T recommendation X.711 at all.

Prior art will be described. 


(Access control using a management operation as the access unit)

There is known an access control using a management operation as the access unit, reported by [Ohno, Yoda, Fujii; Access Control Method in Telecommunication Network, CS94(39): 19-24, Jun. 1994].

This prior art will be described referring to Fig. 6 and table 3. The naming tree T shown in Fig. 6 comprises MOI indicated by A to N. Corresponding to the naming tree T, as shown in table 3, an "initiators" MOC, a "targets" MOC and a "rule" MOC are defined. MOI_A, MOI_B, MOI_C, ..., MOI_N are used when designating each MOI.



(table 3)

MOC        | MOI
initiators | X
initiators | Y
targets    | MOI_C, MOI_F, MOI_G, MOI_J : targets 1
targets    | MOI_D, MOI_F, MOI_G : targets 2
rule       | X cannot access targets 1. (item denial rule : rule 1)
rule       | Y can access targets 2. (item permission rule : rule 2)
rule       | All management operations are denied. (default rule : rule 3)




In table 3, the initiators X and the initiators Y are defined as MOI belonging to the "initiators" MOC. The initiators X is the MOI indicating the origin X of issue of the management operation, and the initiators Y is the MOI indicating the origin Y of issue of the management operation. Further, the targets 1 and the targets 2 are defined as MOI belonging to the "targets" MOC. The targets 1 is the MOI whose protect object or open object consists of MOI_C, MOI_F, MOI_G and MOI_J. The targets 2 is the MOI whose protect object or open object consists of MOI_D, MOI_F and MOI_G. The rule 1, the rule 2 and the rule 3 are defined as MOI belonging to the "rule" MOC. The rule 1 is an item denial rule which denies any management operation from the origin X of issue, the rule 2 is an item permission rule which permits all management operations from the origin Y of issue, and the rule 3 is a default rule which denies any management operation from all origins of issue.

(Decision of access denial in Fig. 6 and table 3 : process of item denial rule)

For example, if a management operation having WholeSubtree scope whose BOI is MOI_J is issued from initiator X, the item denial rule 1 is applied according to table 3. At this time, as shown in Fig. 7, because MOI_J in the management operation 24 is included within the protect object 25, the management operation is denied.

Therefore, in the case of using the management operation as the access unit, if there is an intersection between a part of the objects of the management operation and the protect object, the management operation is denied.

(Decision of access permission in Fig. 6 and table 3 : process of item permission rule)

For example, if a management operation having 2ndLevelOnly scope whose BOI is MOI^^ is issued from initiator Y, the item permission rule 2 is applied according to table 3. At this time, as shown in Fig. 8, because MOI^ in the management operation 26 is not included within the open object 27, the management operation is not permitted.

Therefore, in the case of using the management operation as the access unit, unless all the objects of the management operation are included within the open object, the management operation is not permitted.

As mentioned above, in the prior art access control using the management operation as the access unit, if there is an intersection between the objects of the management operation and the protect object, there occur MOI to which access is not permitted even though access to them should not be denied.

Further, in the prior art access control using the management operation as the access unit, if there is an intersection between the objects of the management operation and the protect object, there occur MOI to which access is denied even though access to them is permitted.

These problems do not occur in an access control using the MOI as an access unit. 

Then, an object of the present invention is to provide a new access control using the MOI as the access unit. Another object of the present invention is to provide a method for converting the identification name, a method for scope enumeration, a method for target enumeration and a method for detecting an intersection.

SUMMARY OF THE INVENTION 

In the present invention, a pre-process is provided for reducing the time required for the decision of denial and permission of access compared with the prior art. In this pre-process, a corresponding table is made which indicates the relation between each scope and the set of MOI included in the scope. Then, at every issue of a management operation, the intersection between the objects of the management operation and the protect object is decided by referring to the table. Further, at every issue of a management operation, the objects of the management operation included in the open object are obtained by referring to the table, so that access denial and access permission are rapidly decided.

Namely, in the present invention, the identification name of an MOI on the naming tree is converted to an index. The present invention is a method for converting the name of an MOI (Managed Object Instance) in a naming tree to an index, wherein "n" denotes the number of MOI in the naming tree, "[x]" denotes the integer rounded up from a value x and "XOR" denotes exclusive OR, said method comprising:

a step for dividing the bit sequence of the name into m blocks B_i (1 ≤ i ≤ m), wherein the bit length of each block is N, given as N = [log2 n],

a step for calculating the exclusive OR of the j-th bit b_ij (1 ≤ j ≤ N) of each block B_i as C_j = b_1j XOR b_2j XOR b_3j ... XOR b_mj, and

a step for making the N-bit sequence C_1 C_2 C_3 ... C_N the index of the identification name by putting said calculated values C_j in order from C_1 to C_N,

wherein the value "0" is applied to the m-th block if a shortage of bits occurs in the m-th block.

The present invention is a method for enumeration of scope wherein, for each of all the scopes which can be designated in a management operation, an array "scope[]" of size n which represents the MOI included in the scope is obtained as

scope[i]=1 if MOI_i is included in the scope,
scope[i]=0 if MOI_i is not included in the scope.

The present invention is a method for enumeration of scope wherein, when a new MOI_m0 is added to a naming tree, the MOI_m0 is added to the BaseTojthLevel scope (i ≤ j), the WholeSubtree scope and the ithLevelOnly scope whose BOI (Base Object Instance) is MOI_mi (1 ≤ i ≤ p), wherein the MOI on the route from the MOI_m1 immediately above the MOI_m0 to be added up to the root MOI_mp are put in order from MOI_m1 as MOI_m1, MOI_m2, ..., MOI_mp.

The present invention is a method for enumeration of scope wherein, when an MOI_m0 is deleted from a naming tree, the MOI_m0 is deleted from the BaseTojthLevel scope (i ≤ j), the WholeSubtree scope and the ithLevelOnly scope whose BOI (Base Object Instance) is MOI_mi (1 ≤ i ≤ p), wherein the MOI on the route from the MOI_m1 immediately above the MOI_m0 to be deleted up to the root MOI_mp are put in order from MOI_m1 as MOI_m1, MOI_m2, ..., MOI_mp.

The present invention is a method for enumeration of a target wherein, for each targets MOI which is a protect target to be protected from an authority or an open target to be opened to an authority, an array "targets[]" of size n which represents the target MOI is obtained as

targets[i]=1 if MOI_i is protected or opened,
targets[i]=0 if MOI_i is neither protected nor opened.

The present invention is a method for making a table wherein, for each of all the scopes which can be designated in a management operation, a table corresponding to the MOI included in the scope is made.

The present invention is a method for detecting an intersection wherein the intersection between the objects of a management operation and the protect object is obtained by calculating, in each bit, the logical product (logical AND) of the "scope[]" obtained by any of the above-mentioned methods and the negation of the "targets[]" obtained by the above-mentioned method.

The present invention is a method for detecting an intersection wherein the intersection between the objects of a management operation and the protect object is obtained by calculating, in each bit, the logical product (logical AND) of the "scope[]" obtained by any of the above-mentioned methods and the "targets[]" obtained by the above-mentioned method.

The present invention is an access control method using the MOI as the access unit, comprising: a step for calculating, in each bit, the logical product (logical AND) of the negation of each "targets[]" in an item denial rule obtained by the above-mentioned method and the "scope[]" obtained by any of the above-mentioned methods, and a step for allowing only the MOI for which scope[i]=1 based on said calculation.

The present invention is an access control method using the MOI as the access unit, comprising: a step for calculating, in each bit, the logical product (logical AND) of each "targets[]" in an item permission rule obtained by the above-mentioned method and the "scope[]" obtained by any of the above-mentioned methods, and a step for allowing only the MOI for which scope[i]=1 based on said calculation.

These access controls are adaptive to dynamic change of the naming tree based on management operations such as M-CREATE and M-GET. Namely, based on a management operation such as M-CREATE and M-GET, a new MOI is generated and added to the naming tree, or an old MOI is deleted from the naming tree. Therefore, it is necessary to renew the corresponding table. In the present invention, it is possible to easily revise only the part to be changed, so it is not necessary to change the whole table.
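The two bitwise intersections claimed above and the rule order of Fig. 5, applied to the rules of table 3 and the Fig. 7 operation, as an added Python example that is not the patent's own code: the A to N index assignment and the per-MOI reading of the Fig. 5 steps are assumptions of this example, and the prior-art operation-unit decision is included for contrast.

```python
# MOI of the naming tree of Fig. 6 are named A to N; their indices 0..13 are assigned here (constructed).
NAMES = "ABCDEFGHIJKLMN"
ALL = (1 << len(NAMES)) - 1

def bitset(names):
    """scope[] or targets[] packed into an int: bit i is 1 when the MOI with index i is in the set."""
    return sum(1 << NAMES.index(c) for c in names)

def members(mask):
    """Names of the MOI whose bit is set, in index order."""
    return "".join(c for i, c in enumerate(NAMES) if mask >> i & 1)

# Table 3: targets 1 is the protect object of item denial rule 1 (initiator X), targets 2 the open
# object of item permission rule 2 (initiator Y); rule 3 (default) denies everything else.
TARGETS_1 = bitset("CFGJ")
TARGETS_2 = bitset("DFG")
RULES = [("item_deny", "X", TARGETS_1), ("item_permit", "Y", TARGETS_2)]
# Fig. 7: the WholeSubtree operation with BOI J covers J, L, M and N.
SCOPE_FIG7 = bitset("JLMN")

def allowed_after_item_denial(scope, targets):
    """scope[] AND NOT targets[] in each bit: the MOI of the operation outside the protect object."""
    return scope & (ALL & ~targets)

def allowed_after_item_permission(scope, targets):
    """scope[] AND targets[] in each bit: the MOI of the operation inside the open object."""
    return scope & targets

def prior_art_decision(scope, protect=0, opened=None):
    """Operation-unit control of the prior art: any intersection with the protect object denies the
    whole operation, and the whole operation is permitted only if every MOI lies in the open object."""
    if scope & protect:
        return "denied"
    if opened is not None and scope & ~opened:
        return "not permitted"
    return "permitted"

def decide_moi_unit(scope, initiator, rules, default_permit=False):
    """MOI-unit decision in the order of Fig. 5, read per MOI (an assumption of this example):
    S1 global denial, S2 item denial, S3 global permission, S4 item permission, S5 default rule.
    rules: (kind, initiator, targets) with kind in global_deny/item_deny/global_permit/item_permit.
    Returns (permitted, denied) as bit sets over the MOI of the operation."""
    mine = [(kind, t) for kind, who, t in rules if who == initiator]
    if any(kind == "global_deny" for kind, _ in mine):              # S1
        return 0, scope
    denied = 0
    for kind, t in mine:
        if kind == "item_deny":
            denied |= scope & t                                     # S2: denied per MOI
    rest = scope & ~denied
    if any(kind == "global_permit" for kind, _ in mine):            # S3
        return rest, denied
    permitted = 0
    for kind, t in mine:
        if kind == "item_permit":
            permitted |= rest & t                                   # S4: permitted per MOI
    undecided = rest & ~permitted                                   # S5: the default rule decides the rest
    if default_permit:
        return permitted | undecided, denied
    return permitted, denied | undecided

if __name__ == "__main__":
    print("prior art, rule 1:", prior_art_decision(SCOPE_FIG7, protect=TARGETS_1))
    print("MOI unit, rule 1 survivors:", members(allowed_after_item_denial(SCOPE_FIG7, TARGETS_1)))
    permitted, denied = decide_moi_unit(SCOPE_FIG7, "X", RULES)
    print("full Fig. 5 order for X:", members(permitted), "permitted,", members(denied), "denied")
```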


BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 shows an abstract of a network management based on OSI management.
Figs. 2(A) and 2(B) show examples of MOC and MOI.
Fig. 3 shows a naming tree.
Fig. 4(A) shows a scope.
Fig. 4(B) shows a scope.
Fig. 4(C) shows a scope.
Fig. 4(D) shows a scope.
Fig. 5 shows the process of decision of denial and permission based on ITU-T recommendation X.711.
Fig. 6 shows a naming tree.
Fig. 7 shows a prior art.
Fig. 8 shows a prior art.
Fig. 9 is a flow chart showing the whole of the access control based on the present invention.
Fig. 10 is a flow chart showing the pre-process.
Fig. 11 shows the step for conversion of the identification name.
Fig. 12 shows the step of enumeration.
Fig. 13 shows a naming tree for enumeration.
Fig. 14 is a flow chart showing access denial and access permission of the access control based on the present invention.
Fig. 15 is a flow chart for renewal of the corresponding table in the case of adding an MOI.
Fig. 16 is an example of renewal of the corresponding table in the case of deleting an MOI.
Fig. 17 is a flow chart for renewal of the corresponding table in the case of deleting an MOI.
Fig. 18 is an example of renewal of the corresponding table in the case of deleting an MOI.
Fig. 19 shows a naming tree.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

An embodiment of the present invention will be explained referring to the drawings.

As shown in Fig. 9, in a step S0 a pre-process is carried out on the naming tree which is the object of access control, for achieving rapid decision of access denial and permission. In the pre-process, for every scope which can be designated by a management operation, all MOI included within the scope are obtained. One pass of the pre-process is sufficient.

After the pre-process, in a step S1 a management operation is issued. Then, in a step S2, access denial and access permission are decided by using the corresponding table which was made in the table-making step of the pre-process.

In a step S3, it is judged whether an MOI has been generated or deleted. If the MOI have changed, a renewal of the corresponding table is carried out before the next decision of access denial or access permission for a management operation.

(Abstract of pre-processing)

As shown in Fig. 10, in the pre-process the identification names of the MOI are converted in a step S1. After the step S1, for every scope which can be designated by a management operation, all MOI included within the scope are obtained in a step S2. Then, in a step S3, the corresponding table which represents the relation between each scope and the set of MOI included within the scope is made.

(Detailed description 1 of pre-processing : conversion step of identification name)

The identification name of an MOI is encoded according to the BER (Basic Encoding Rules) of ASN.1 (Abstract Syntax Notation One) etc. See [ITU-T Rec. X.690, ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), 1994].

The identification name is converted, as shown in Fig. 11, by allotting an index to the encoded identification name of the MOI.

In Fig. 11, "r" denotes the identification name of the input MOI, consisting of "1" and "0"; "|r|" denotes the bit length of the identification name "r"; "n" denotes the number of MOI in the naming tree; "N" denotes the number of bits of the index allotted to the identification name "r"; "[x]" denotes the integer rounded up from a value x; "XOR" denotes the exclusive OR defined in equation 3.

(equation 3)

x, y \in \{0, 1\}
x \ \mathrm{XOR}\ y = 0 \quad (\text{when } x = y)
x \ \mathrm{XOR}\ y = 1 \quad (\text{when } x \neq y)

In the steps shown in Fig. 11,

(1) The conversion is started by the input of an MOI having the identification name r.

(2) In a step S1, a value N is calculated as N = [log2 n] from the number n of MOI in the naming tree. Namely, it is possible to indicate all of the MOI by an index which is an N-bit sequence.

(3) In a step S2, the identification name r is divided into m blocks B_i (1 ≤ i ≤ m), wherein the bit length of each block is N bits. The value "0" is applied to the m-th block B_m if a shortage of bits occurs in the m-th block B_m.

(4) In a step S3, the exclusive OR of the j-th bit b_ij (1 ≤ j ≤ N) of each block B_i is calculated as C_j = b_1j XOR b_2j XOR b_3j ... XOR b_mj.

(5) The identification name r is converted to the N-bit sequence C_1 C_2 C_3 ... C_N by using C_j, and the N-bit sequence C_1 C_2 C_3 ... C_N is output as the index. Namely, the index is made by putting said calculated values C_j in order from C_1 to C_N.

(6) The index allots 0 to n-1 in decimal to the n MOI on the naming tree. There is no duplicate index among the MOI because of the use of XOR. While the length of the identification name r is not constant among the MOI on the naming tree, it is possible to use an index having a constant length because of the conversion to C_1 C_2 C_3 ... C_N. Further, high-speed access is possible because the length of the index C_1 C_2 C_3 ... C_N is shorter than the length of the identification name r.

An example of the conversion of the identification name, wherein the input identification name r is 10001000 00001110 10110001 00010000 11000100 00011000 and the number n is 100:

(1) In the step S1, N = [log2 100] = [6.6438...] = 7.

(2) In the step S2, |r| = 48 and m = 7 from (48/7)+1, so the identification name r is divided into 7 blocks B_i (1 ≤ i ≤ 7), wherein the length of each block is 7 bits. The value "0" is applied to the 7th bit of the final block B7 because N × m − |r| = 49 − 48 = 1. Namely

B1 = 1000100, B2 = 0000011, B3 = 1010110, B4 = 0010001, B5 = 0000110, B6 = 0010000, B7 = 0110000

(3) For example, for the 1st bit b_i1 of each block B_i (1 ≤ i ≤ 7), the 1st bit C_1 = 1 XOR 0 XOR 1 XOR 0 XOR 0 XOR 0 XOR 0 = 0 because b_11 = 1, b_21 = 0, b_31 = 1, b_41 = 0, b_51 = 0, b_61 = 0, b_71 = 0.

(4) In the same way C_2 = 1, C_3 = 0, C_4 = 0, C_5 = 1, C_6 = 1, C_7 = 0.

(5) Then the identification name r is converted to "0100110" based on the bit sequence C_1 C_2 C_3 C_4 C_5 C_6 C_7 = 0100110.
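The conversion just worked through, as an added Python example that is not code from the patent: it folds the bit string r into the N-bit index exactly as steps S1 to S3 of Fig. 11 describe and reproduces the page's result 0100110 for n = 100. A uniqueness check is added because the scope[] and targets[] arrays of the pre-process need one index per MOI; the function names and the short collision sample at the end are this example's own.

```python
import math

# Identification name r from the worked example on the page (48 bits), written without the spaces.
R_EXAMPLE = "10001000" "00001110" "10110001" "00010000" "11000100" "00011000"

def index_bits(n):
    """Step S1: N = [log2 n], the number of bits needed to index n MOI."""
    if n < 2:
        raise ValueError("a naming tree with fewer than two MOI needs no index")
    return math.ceil(math.log2(n))

def name_to_index(r, n):
    """Convert the identification name r (a string of '0'/'1') of an MOI in a tree of n MOI
    to its N-bit index string by XOR folding (steps S1 to S3 of Fig. 11)."""
    if set(r) - {"0", "1"}:
        raise ValueError("r must be a bit string")
    N = index_bits(n)
    m = -(-len(r) // N)                  # ceiling of |r| / N blocks; an extra all-zero block would not change the XOR
    padded = r.ljust(m * N, "0")         # step S2: fill the shortage of bits in block B_m with "0"
    blocks = [padded[k * N:(k + 1) * N] for k in range(m)]
    # step S3: C_j = b_1j XOR b_2j XOR ... XOR b_mj (parity of column j), assembled from C_1 to C_N
    return "".join(str(sum(int(b[j]) for b in blocks) % 2) for j in range(N))

def indices_are_distinct(names, n):
    """True when every identification name maps to a different index. The scope[] and targets[]
    arrays rely on one index per MOI, so a deployment should verify this over its naming tree."""
    seen = set()
    for r in names:
        idx = name_to_index(r, n)
        if idx in seen:
            return False
        seen.add(idx)
    return True

if __name__ == "__main__":
    print(name_to_index(R_EXAMPLE, 100))   # 0100110 (decimal 38), as in the page's example
    # constructed sample: two different 6-bit names that fold to the same 3-bit index when n = 8
    print(indices_are_distinct(["101000", "000101"], 8))   # False
```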

(Detailed description 2 of pre-processing : enumeration step)

In the enumeration step, as shown in Fig. 12, the MOI included within each scope are obtained for every scope which can be designated by a management operation. For this purpose, a matrix A of size n × n and a matrix C of size n × n are defined by equations 4 to 7. The matrix A is the connection matrix which represents the naming tree. In a step S12 shown in Fig. 12, where the BaseTo(i-1)thLevel scope becomes the BaseTo0thLevel scope, the BaseTo0thLevel scope is treated as the BaseObject scope.

(equation 4)

a_{ij} = \begin{cases} 1, & \text{when } MOI_i \text{ with index } i \text{ is a parent of } MOI_j \text{ with index } j \text{ on the naming tree } T \\ 0, & \text{when } MOI_i \text{ with index } i \text{ is not a parent of } MOI_j \text{ with index } j \text{ on the naming tree } T \end{cases}

wherein (a_{ij}) is the element in the i-th row and j-th column of the matrix A.

(equation 5) A^0 = E \quad (\text{unit matrix})

(equation 6) A^i = A \cdot A^{i-1} \quad (i \geq 1)

(equation 7) C^i = A^0 + A^1 + A^2 + \cdots + A^i

In Fig. 12,

(1) In a step S1, A^x and C^x (1 ≤ x ≤ D) are calculated until A^{D+1} = 0, wherein D is the depth of the naming tree T.

(2) In a step S2, i and A^i are initialized as i = 1 and A^i = A · A^{i-1} = A.

(3) In a step S3, when the MOI having index j is indicated as MOI_j, j is initialized as j = 0.

(4) In a step S4, it is judged whether MOI_j satisfies the condition indicated in the next step S5. If not satisfied, the step S5 is done. If satisfied, a step S8 is done.

(5) In the step S5, when (a^i_jk) indicates an element in the j-th row of A^i, i.e. the row of MOI_j of the matrix A^i, it is judged whether (a^i_jk) is 0 for all k. If not satisfied, the step S6 is done. If satisfied, a step S12 is done.

(6) In the step S6, it is judged that the ithLevelOnly scope whose BOI is MOI_j includes the MOI_k for which (a^i_jk) = 1. Then a step S7 is done.

(7) In the step S7, when (c^i_jk) indicates an element in the j-th row of C^i, i.e. the row of MOI_j of the matrix C^i, it is judged that the BaseToithLevel scope whose BOI is MOI_j includes the MOI_k for which (c^i_jk) = 1. Then a step S8 is done.

(8) In the step S12, the WholeSubtree scope whose BOI is MOI_j is treated as the BaseTo(i-1)thLevel scope. Then a step S8 is done.

(9) In the step S8, j is increased by 1. Then a step S9 is done.

(10) In the step S9, it is judged whether j is smaller than n. If true, the step S4 is done. If false, a step S10 is done.

(11) In the step S10, i is increased by 1, namely the matrix A^i is changed into the matrix A^{i+1} and the matrix C^i is changed into the matrix C^{i+1}.

(12) In a step S11, it is judged whether i is smaller than D+1. If true, the step S3 is done. If false, the enumeration is finished.

(example of enumeration)

An example of the enumeration step is explained on the naming tree T shown in Fig. 13. The connection matrix A of the tree T is shown in equation 8. The rows and columns of the matrix are numbered from 0.

(equation 8)

A = \begin{pmatrix}
0 & 1 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}

(1) In the step S1 shown in Fig. 12, A^2, A^3, A^4, C^2 and C^3 are obtained as shown in equations 9 to 13 based on equations 6 and 7.
(equation 9)

A^2 = \begin{pmatrix}
0 & 0 & 0 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}

(equation 10)

A^3 = \begin{pmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}

(equation 11)

A^4 = \begin{pmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}

(equation 12)

C^2 = A^0 + A^1 + A^2 = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1
\end{pmatrix}

(equation 13)

C^3 = C^2 + A^3 = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1
\end{pmatrix}

(2) i is set as i = 1 in the step S2 and j is set as j = 0 in the step S3.

(3) In the step S4, MOI_j does not satisfy the condition indicated in the step S5. Then the step S5 is done.

(4) In the step S5, (a^1_0k) is not 0 for all k. Then the step S6 is done.

(5) In the step S6, the ith (= 1st) LevelOnly scope whose BOI is MOI_j (= MOI_0) includes MOI_1 and MOI_2, because (a^1_01) = 1 and (a^1_02) = 1.

(6) In the step S7, the BaseToithLevel (= BaseTo1stLevel) scope whose BOI is MOI_j (= MOI_0) includes MOI_0, MOI_1 and MOI_2, because (c^1_00) = 1, (c^1_01) = 1 and (c^1_02) = 1.

(7) In the step S8, j = j + 1 = 0 + 1 = 1, and j = 1 < n = 8, so the judgement in the step S9 sends the process back to the step S4.

(8) In the step S4, MOI_1 does not satisfy the condition indicated in the step S5. Then the step S5 is done.

(9) In the step S5, (a^1_1k) is 0 for all k. Then the step S12 is done.

(10) In the step S12, the WholeSubtree scope whose BOI is MOI_j (= MOI_1) is treated as the BaseTo(i-1)thLevel (= BaseTo0thLevel = BaseObject) scope.

(11) By repeating the same process, the set of MOI included in every scope is obtained.

(step for making a corresponding table)

A table indicating the correspondence between each scope and the MOI included within the scope is made by using the
above-mentioned results. Table 4 shows a part of the table corresponding to the naming tree T shown in Fig. 13. Namely,
every scope is indicated as a combination of a type of scope and a BOI. For each scope that can be designated in a
management operation, an array "scope[]" of size n, which represents the MOI included in the scope, is obtained as

scope[i]=1 if MOI_i is included in the scope,

scope[i]=0 if MOI_i is not included in the scope. Then the corresponding table is made by obtaining "scope[]" for every scope.

EP 0 863 645 A2




(table 4)

BOI | type of scope  | scope[] for MOI 0 1 2 3 4 5 6 7
----|----------------|--------------------------------
 0  | BaseObject     | 10000000
 0  | BaseTo1stLevel | 11100000
 0  | BaseTo2ndLevel | 11111100
 0  | WholeSubtree   | 11111111
 0  | 1stLevelOnly   | 01100000
 0  | 2ndLevelOnly   | 00011100
 0  | 3rdLevelOnly   | 00000011
 1  | BaseObject     | 01000000
 2  | BaseObject     | 00100000
 2  | BaseTo1stLevel | 00111100
 2  | WholeSubtree   | 00111111
 2  | 1stLevelOnly   | 00011100
 2  | 2ndLevelOnly   | 00000011

(The WholeSubtree scope of MOI_2 contains MOI_6 and MOI_7 as well, as its 2ndLevelOnly row and row 2 of C^3 show.)


Referring to the example shown in table 4 and to Fig. 7 and Fig. 8, the process for deciding access denial and
permission will be described.

(example of decision for an access denial) 

In Fig. 7, the objects of the management operation are J, L, M and N out of all MOI, indicated by A to N, on the naming tree
T. scope[i]=1 denotes that MOI_i is included within the scope and scope[i]=0 denotes that MOI_i is not included within
the scope. The size of scope[] is n (A to N, n=14). Then scope[] becomes as below. Further, in table 3, access to the targets
1 (MOI_C, MOI_F, MOI_G, MOI_J) by the initiator X is denied because of the item denial rule 1. targets[i]=1 denotes
that MOI_i is protected and targets[i]=0 denotes that MOI_i is not protected. The size of targets[] is n. Then targets[]
becomes as below.

            ABCDEFGHIJKLMN
  scope[]  = 00000000010111
  targets[]= 00100110010000

Here scope[]=00000000010111 (n=14) is quickly and easily obtained from the corresponding table of the tree shown in Fig. 7,
made beforehand in the above-mentioned step, because the object of the management operation shown in Fig. 7 can be
designated by the WholeSubtree scope of which BOI is MOI_J.

By step S3 shown in Fig. 14, the denial of "targets[]" (each bit inverted) is the bit sequence 11011001101111.
In each bit, the logical product (logical AND) between "scope[]" (=00000000010111) and the denial (=11011001101111)
of "targets[]" (=00100110010000) is calculated.

Then scope[] becomes as follows.

            ABCDEFGHIJKLMN
  scope[]  = 00000000000111

Namely, access to only MOI_J is denied, and access to MOI_L, MOI_M and MOI_N is not denied.

(example of decision for an access permission) 

In Fig. 8, the objects of the management operation are D, E, F and G out of all MOI, indicated by A to N, on the naming tree
T. scope[i]=1 denotes that MOI_i is included within the scope and scope[i]=0 denotes that MOI_i is not included within
the scope. The size of scope[] is n (A to N). Then scope[] becomes as below. Further, in table 3, access to the targets
2 (MOI_D, MOI_F, MOI_G) by the initiator Y is permitted because of the item permission rule 2. targets[i]=1 denotes
that MOI_i is opened and targets[i]=0 denotes that MOI_i is not opened. The size of targets[] is n. Then targets[]
becomes as below.

            ABCDEFGHIJKLMN
  scope[]  = 00011110000000
  targets[]= 00010110000000

Here scope[]=00011110000000 (n=14) is quickly and easily obtained from the corresponding table of the tree shown in Fig. 8,
made beforehand in the above-mentioned step, because the object of the management operation shown in Fig. 8 can be
designated by the 2ndLevelOnly scope of which BOI is MOI_A.

By step S4 shown in Fig. 14, in each bit, the logical product (logical AND) between "scope[]" (=00011110000000)
and "targets[]" (=00010110000000) is calculated.

Then scope[] becomes as follows.

            ABCDEFGHIJKLMN
  scope[]  = 00010110000000

Namely, access to MOI_D, MOI_F and MOI_G is permitted.

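The two decisions above, worked through in code. This is an added example, not code from the patent: the bit strings are the ones printed for Fig. 7 and Fig. 8, the index order A to N is the string order (leftmost character is MOI_A), and Python ints stand in for the bit arrays. The function names and the use of a mask for the complement are this example's own choices.

```python
# Added example, not part of the patent text: the access decision of Fig. 14 on
# the scope[] and targets[] bit arrays of Fig. 7 and Fig. 8. The bit strings are
# the ones printed above; the MOI index order A..N is the string order, so the
# leftmost character is MOI_A. Python ints serve as bit vectors.
NAMES = "ABCDEFGHIJKLMN"
N = len(NAMES)
MASK = (1 << N) - 1          # ~x on a Python int is negative; AND with MASK keeps n bits

def bits(s):
    """Parse a printed array such as '00000000010111' into an int."""
    if len(s) != N or set(s) - {"0", "1"}:
        raise ValueError(f"expected {N} bits, got {s!r}")
    return int(s, 2)

def text(v):
    return format(v & MASK, f"0{N}b")

def members(v):
    """MOI identifiers whose bit is 1, e.g. '00000000000111' -> ['L', 'M', 'N']."""
    return [NAMES[i] for i, c in enumerate(text(v)) if c == "1"]

def apply_denial(scope, targets):
    """Step S3 of Fig. 14 (item denial rule): scope AND NOT targets.
    Returns (MOI of the scope still accessible, MOI of the scope that are denied)."""
    accessible = scope & (~targets & MASK)
    return accessible, scope & targets

def apply_permission(scope, targets):
    """Step S4 of Fig. 14 (item permission rule): scope AND targets.
    Returns (MOI of the scope that are permitted, MOI of the scope no rule opens)."""
    permitted = scope & targets
    return permitted, scope & ~permitted & MASK

if __name__ == "__main__":
    # Fig. 7: WholeSubtree scope of MOI_J; targets 1 are protected from initiator X
    accessible, denied = apply_denial(bits("00000000010111"), bits("00100110010000"))
    print(text(accessible), members(accessible), "denied:", members(denied))
    # Fig. 8: 2ndLevelOnly scope of MOI_A; targets 2 are opened to initiator Y
    permitted, closed = apply_permission(bits("00011110000000"), bits("00010110000000"))
    print(text(permitted), members(permitted), "not opened:", members(closed))
```

The second element returned by each function is the check a practitioner wants alongside the result: for a denial rule, which in-scope MOI were cut out (MOI_J here); for a permission rule, which in-scope MOI no rule opens (MOI_E here). The explicit mask matters because the complement of a Python int is a negative number with infinitely many leading ones; without it the AND still gives the right low bits, but the printed and compared values would not.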
(renewal of corresponding table) 

Renewal of the corresponding table will be described.

As mentioned above, the configuration of the naming tree may change when a new MOI is generated or added
and when an old MOI is deleted. Therefore it is necessary to renew the table.

(generation of MOI)

Fig. 15 shows the step for renewing the table when a new MOI_m0 is added to the naming tree.

(1) In step S1 in Fig. 15, all MOI on the route from MOI_m1, directly above MOI_m0, to the root MOI_mp are named
MOI_m1, MOI_m2, ... MOI_mp in order from MOI_m1.

(2) In step S2 in Fig. 15, MOI_m0 is added, in the corresponding table, to the BaseTojthLevel scopes (i ≤ j), the
WholeSubtree scope and the ithLevelOnly scope of which BOI (Base Object Instance) is MOI_mi (1 ≤ i ≤ p).

(example of generation of MOI)

An example of renewal, when MOI_8 (=MOI_m0) is added as a child of MOI_5 (=MOI_m1) to the naming tree T shown in Fig. 16,
will be described.

(1) Step S1: The parent of MOI_5 (=MOI_m1) is MOI_2 (=MOI_m2), found as the 2nd row of the matrix A whose entry in the
5th column is "1". In the same way, the parent of MOI_2 (=MOI_m2) is MOI_0 (=MOI_m3), the 0th row whose entry in the
2nd column is "1". Because MOI_0 is the root, MOI_m1=MOI_5, MOI_m2=MOI_2 and MOI_m3=MOI_0 (root).

(2) Step S2: MOI_8 (=MOI_m0) is added to the BaseTojthLevel scopes (1 ≤ j), the WholeSubtree scope and the 1stLevelOnly
scope of which BOI (Base Object Instance) is MOI_m1. MOI_8 (=MOI_m0) is added to the BaseTojthLevel scopes (2 ≤ j),
the WholeSubtree scope and the 2ndLevelOnly scope of which BOI is MOI_m2. MOI_8 (=MOI_m0) is added to the
BaseTojthLevel scopes (3 ≤ j), the WholeSubtree scope and the 3rdLevelOnly scope of which BOI is MOI_m3. Namely,
scope[8]=1 is added to the above-mentioned scopes and scope[8]=0 is added to every other scope.

(deletion of MOI)

Fig. 17 shows the step for renewing the table when an old MOI_m0 is deleted from the naming tree.

(1) In step S1 in Fig. 17, all MOI on the route from MOI_m1, directly above MOI_m0, to the root MOI_mp are named
MOI_m1, MOI_m2, ... MOI_mp in order from MOI_m1.

(2) In step S2 in Fig. 17, MOI_m0 is deleted, in the corresponding table, from the BaseTojthLevel scopes (i ≤ j), the
WholeSubtree scope and the ithLevelOnly scope of which BOI (Base Object Instance) is MOI_mi (1 ≤ i ≤ p).


(example of deletion of MOI)

An example of deletion, when MOI_7, a child of MOI_3, is deleted from the naming tree T shown in Fig. 18, will
be described.

(1) Step S1: The parent of MOI_7 (=MOI_m0) is MOI_3 (=MOI_m1), found as the 3rd row of the matrix A whose entry in the
7th column is "1". In the same way, the parent of MOI_3 (=MOI_m1) is MOI_2 (=MOI_m2), the 2nd row whose entry in the
3rd column is "1". Because MOI_0 is the root, MOI_m1=MOI_3, MOI_m2=MOI_2 and MOI_m3=MOI_0 (root).

(2) Step S2: MOI_7 (=MOI_m0) is deleted from the BaseTojthLevel scopes (1 ≤ j), the WholeSubtree scope and the
1stLevelOnly scope of which BOI (Base Object Instance) is MOI_m1. MOI_7 (=MOI_m0) is deleted from the BaseTojthLevel
scopes (2 ≤ j), the WholeSubtree scope and the 2ndLevelOnly scope of which BOI is MOI_m2. MOI_7 (=MOI_m0) is deleted
from the BaseTojthLevel scopes (3 ≤ j), the WholeSubtree scope and the 3rdLevelOnly scope of which BOI is MOI_m3.
Namely, scope[7]=1 is deleted from the above-mentioned scopes and scope[7]=0 is deleted from every other scope.

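The enumeration of Fig. 12 (matrix powers of A), the corresponding table of table 4, and the renewal steps of Fig. 15 and Fig. 17, carried through in one program. This is an added example and not the patent's own implementation: the tree is the one of Fig. 13, the added node is MOI_8 under MOI_5 as in Fig. 16, and the deleted node is MOI_7 as in Fig. 18. The table representation (a dict keyed by BOI and scope type), the function names, and the choice to retire a deleted index as a zero column instead of dropping the element are this example's assumptions.

```python
# Added example, not part of the patent text: enumerating the scope table of a
# naming tree from its connection matrix A (A[p][c] = 1 when MOI_c is a child of
# MOI_p) and renewing that table in place when an MOI is added (Fig. 15) or
# deleted (Fig. 17). Each scope[] is a list of n bits indexed by MOI number.
# FIG13_EDGES is the tree of Fig. 13 / table 4 (parent -> children).
FIG13_EDGES = {0: [1, 2], 2: [3, 4, 5], 3: [6, 7]}

def ordinal(i):
    """1 -> '1st', 2 -> '2nd', 3 -> '3rd', 4 -> '4th'; used in scope type names."""
    suffix = "th" if 10 <= i % 100 <= 20 else {1: "st", 2: "nd", 3: "rd"}.get(i % 10, "th")
    return f"{i}{suffix}"

def connection_matrix(edges, n):
    return [[int(c in edges.get(p, ())) for c in range(n)] for p in range(n)]

def matmul(X, Y):
    """Boolean matrix product: row b of A^i marks the MOI exactly i levels below MOI_b."""
    n = len(X)
    return [[int(any(X[i][k] and Y[k][j] for k in range(n))) for j in range(n)] for i in range(n)]

def enumerate_scopes(A):
    """{(BOI, scope type): scope[]} for every BOI, as in Fig. 12 and table 4.
    ithLevelOnly is row BOI of A^i, BaseToithLevel ORs rows 1..i onto the BOI's
    unit vector, WholeSubtree is BaseTo(D)thLevel for the depth D below the BOI."""
    n, table, powers, P = len(A), {}, [], A
    while any(map(any, P)):                      # stops at A^(D+1) = 0 (step S11)
        powers.append(P)
        P = matmul(P, A)
    for b in range(n):
        cum = [int(k == b) for k in range(n)]
        table[(b, "BaseObject")] = cum
        for i, Ai in enumerate(powers, 1):
            if not any(Ai[b]):                   # step S5: nothing at level i below MOI_b
                break
            cum = [x | y for x, y in zip(cum, Ai[b])]
            table[(b, ordinal(i) + "LevelOnly")] = Ai[b][:]
            table[(b, "BaseTo" + ordinal(i) + "Level")] = cum
        table[(b, "WholeSubtree")] = cum[:]
    return table

def ancestors(A, node):
    """Step S1 of Fig. 15 / 17: MOI_m1 (parent of node), MOI_m2, ..., MOI_mp (root)."""
    path = []
    while True:
        parents = [p for p in range(len(A)) if A[p][node]]
        if not parents:
            return path
        node = parents[0]
        path.append(node)

def base_to(m, j):
    return (m, "BaseTo" + ordinal(j) + "Level")

def add_moi(table, A, parent):
    """Step S2 of Fig. 15: the new MOI (index n) becomes a child of `parent`.
    scope[n]=0 is appended everywhere, then scope[n]=1 is set in the ithLevelOnly,
    BaseTojthLevel (j >= i) and WholeSubtree scopes of each ancestor MOI_mi."""
    n = len(A)
    A = [row + [0] for row in A] + [[0] * (n + 1)]
    A[parent][n] = 1
    for bits in table.values():
        bits.append(0)
    unit = [int(k == n) for k in range(n + 1)]
    table[(n, "BaseObject")], table[(n, "WholeSubtree")] = unit, unit[:]
    for i, m in enumerate(ancestors(A, n), 1):
        table.setdefault((m, ordinal(i) + "LevelOnly"), [0] * (n + 1))[n] = 1
        table[(m, "WholeSubtree")][n] = 1
        if base_to(m, i) not in table:           # subtree of MOI_m grew one level deeper
            prev = table[(m, "BaseObject")] if i == 1 else table[base_to(m, i - 1)]
            table[base_to(m, i)] = prev[:]
        j = i
        while base_to(m, j) in table:
            table[base_to(m, j)][n] = 1
            j += 1
    return A

def delete_moi(table, A, node):
    """Step S2 of Fig. 17 for a leaf MOI: scope[node] is cleared in the scopes of
    each ancestor and the leaf's own scopes are dropped. The index is retired as a
    0 column rather than removed (the patent's example drops the element), so the
    other MOI keep their indices. Levels left empty are removed from the table."""
    assert not any(A[node]), "only a leaf MOI can be deleted"
    for i, m in enumerate(ancestors(A, node), 1):
        keys = [(m, ordinal(i) + "LevelOnly"), (m, "WholeSubtree")]
        j = i
        while base_to(m, j) in table:
            keys.append(base_to(m, j))
            j += 1
        for k in keys:
            table[k][node] = 0
        if not any(table[keys[0]]):              # level i below MOI_m is now empty
            for k in keys[:1] + keys[2:]:
                del table[k]
    del table[(node, "BaseObject")], table[(node, "WholeSubtree")]
    A = [row[:] for row in A]
    for p in range(len(A)):
        A[p][node] = 0
    return A
```

The point of the incremental functions is that they only touch the scopes of the p ancestors of the changed MOI, while a rebuild recomputes every power of A. The check worth running after any renewal is that the incrementally maintained table equals a fresh enumeration of the changed tree; an inconsistency there means an access decision could be taken on a stale scope[].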

The above-mentioned process is generally carried out by a computer. Namely, the computer carries out the process
by reading a program of the process, together with its data, from a computer-readable recording medium on which they are
stored. The computer is then an apparatus having the function of carrying out the above-mentioned process.

(effect of the invention)

The present invention has the following effects (1) and (2) over the prior art.

(1) The amount of calculation is smaller than in the prior-art access control that uses the management operation as
the access unit.

(2) Fine-grained access control using the managed object instance as the access unit is possible.

Further, by converting the identification name of an MOI to an index, the bit length of the identification names is unified
and quick access to an MOI is possible. By the enumeration process, the MOI included within each scope that can be
designated by a management operation, and the objects to be protected or opened, can be indicated simply and clearly. By
renewing the corresponding table, a change of MOI caused by the addition or deletion of an MOI on the naming tree is
adapted to simply and easily. Further, by calculating the logical product in each bit of "scope[]" and "targets[]", the
intersection between the scope and the protected or opened objects is obtained simply and easily.


Claims

1. A method for converting a name of an MOI (Managed Object Instance) in a name tree to an index, wherein "n" denotes
the number of MOI in the name tree, "[x]" denotes the integer rounded up from a value x and "XOR" denotes
exclusive OR, said method comprising:

a step for dividing a bit sequence into m blocks B_i (1 ≤ i ≤ m), wherein the number of bits of each block is N, given
as N = [log2 n],

a step for calculating the exclusive OR of the j-th bit b_ij (1 ≤ j ≤ N) of each block B_i as c_j = b_1j XOR b_2j XOR b_3j
... XOR b_mj,

a step for making the N-bit sequence c_1 c_2 c_3 ... c_N the index of the identification name by putting said
calculated values c_j from c_1 to c_N,

wherein the value "0" is applied to the m-th block B_m if the m-th block B_m is short of bits.

2. A method for enumeration of a scope wherein, for each scope that can be designated in a management operation, an
array "scope[]" of size n, which represents the MOI included in the scope, is obtained as

scope[i]=1 if MOI_i is included in the scope,
scope[i]=0 if MOI_i is not included in the scope.

3. A method for enumeration of a scope wherein, when a new MOI_m0 is added to a name tree, MOI_m0 is added to the
BaseTojthLevel scope (i ≤ j), the WholeSubtree scope and the ithLevelOnly scope of which BOI (Base Object Instance)
is MOI_mi (1 ≤ i ≤ p), wherein the MOI on the route from MOI_m1, directly above the added MOI_m0, to the root MOI_mp
are put in order from MOI_m1 as MOI_m1, MOI_m2, ... MOI_mp.

4. A method for enumeration of a scope wherein, when an MOI_m0 is deleted from a name tree, MOI_m0 is deleted from the
BaseTojthLevel scope (i ≤ j), the WholeSubtree scope and the ithLevelOnly scope of which BOI (Base Object Instance)
is MOI_mi (1 ≤ i ≤ p), wherein the MOI on the route from MOI_m1, directly above the deleted MOI_m0, to the root MOI_mp
are put in order from MOI_m1 as MOI_m1, MOI_m2, ... MOI_mp.

5. A method for enumeration of a target wherein, for each target MOI which is a protect target to be protected from
an authority or an open target to be opened to an authority, an array "targets[]" of size n, which represents the
target MOI, is obtained as

targets[i]=1 if MOI_i is protected or opened,
targets[i]=0 if MOI_i is neither protected nor opened.

6. A method for making a table wherein, for each scope that can be designated in a management operation, a table
of the MOI included in the scope is made.

7. A method for detecting an intersection wherein the intersection between a management object and a protect object
is obtained by calculating, in each bit, the logical product (logical AND) between the "scope[]" obtained in claim 2,
3, 4 or 6 and the denial of the "targets[]" obtained in claim 5, the denial being given by equation 1 below,

(equation 1) denial of "targets[]" = NOT "targets[]" (each bit of "targets[]" inverted)

8. A method for detecting an intersection wherein the intersection between a management object and an open object
is obtained by calculating, in each bit, the logical product (logical AND) between the "scope[]" obtained in claim 2, 3 or 4
and the "targets[]" obtained in claim 5.

9. An access control method using an MOI as the access unit, comprising: a step for calculating, in each bit, the logical
product (logical AND) between the denial of each "targets[]" in an item denial rule obtained in claim 5, the denial being
given by equation 2 below, and the "scope[]" obtained in claim 2, 3, 4 or 6,

(equation 2) denial of "targets[]" = NOT "targets[]" (each bit of "targets[]" inverted)

and a step for allowing only the MOI of which scope[i] is 1 based on said calculation.

10. An access control method using an MOI as the access unit, comprising: a step for calculating, in each bit, the logical
product (logical AND) between each "targets[]" in an item permission rule obtained in claim 5 and the "scope[]"
obtained in claim 2, 3, 4 or 6, and a step for allowing only the MOI of which scope[i] is 1 based on said calculation.
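The name-to-index conversion of claim 1, as an added example that is not part of the patent. It takes the identification name as a byte string (an assumption; the claim only speaks of "a bit sequence"), cuts it into blocks of N = [log2 n] bits with the last block filled up with "0", and XORs the blocks bit by bit into one N-bit index. The collision check in build_index_table is this example's addition: the claim says nothing about two names folding to the same index, and XOR folding of a long name into N bits is not injective, so a table built from such indices has to detect and resolve collisions before it is used for access decisions.

```python
# Added example, not part of the patent text: the name-to-index conversion of
# claim 1. The identification name is taken as a byte string (assumption; the claim
# only says "a bit sequence"), split into m blocks of N = [log2 n] bits, the last
# block filled up with "0", and the blocks XOR-ed bit by bit into one N-bit index.
# build_index_table and its collision check are additions of this example.
import math

def name_to_index(name, n):
    """Fold the bits of `name` into an index of N = ceil(log2 n) bits."""
    N = max(1, math.ceil(math.log2(n)))
    seq = "".join(f"{b:08b}" for b in name)
    seq += "0" * ((-len(seq)) % N)           # "0" applied to the short m-th block B_m
    index = 0
    for start in range(0, len(seq), N):      # c_j = b_1j XOR b_2j XOR ... XOR b_mj
        index ^= int(seq[start:start + N], 2)
    return index

def build_index_table(names, n):
    """Index -> name for a set of names; refuses two distinct names with one index."""
    table = {}
    for name in names:
        idx = name_to_index(name, n)
        if table.get(idx, name) != name:
            raise ValueError(f"index collision: {table[idx]!r} and {name!r} -> {idx}")
        table[idx] = name
    return table

if __name__ == "__main__":
    print(name_to_index(b"ab", 16))          # 3
    try:
        build_index_table([b"ab", b"ba"], 16)
    except ValueError as e:
        print(e)                             # b"ab" and b"ba" fold to the same index
```

With n = 16 the index has N = 4 bits, and the two-byte names b"ab" and b"ba" both fold to 3, which is the case the check exists for: a second name silently taking over an existing index would make scope[] and targets[] refer to the wrong MOI.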